ServiceNow Security Operations Addon, unable to create a Security Event (snsecevent)Issue Users may encounter the following error when attempting to create a Security Event for the Splunk console: command="snsecevent", ERROR Unable to create Security Event, response code 400 :Bad request via REST call to https://instance_name.service-now.com/api/now/table/em_eventReleaseAll versions of ServiceNow Security Operations add-on for Splunk.CauseThe error is caused by insufficient permissions granted to the OAuth 2.0 client application. Specifically, the client lacks the necessary scope to create entries in the em_event table.ResolutionTo resolve this issue, follow these steps to configure the appropriate authentication scope: 1. Create a new authentication scope: - Navigate to the Authentication Scope (sys_auth_scope) table - Click "New" to create a new scope - Name it "security_events_write" (or similar) - Provide a description for the scope 2. Associate the scope with the Security Events API: - Go to System Web Services > API Auth Scopes > REST API Auth Scope - Click "New" to create a new record - Set the Name field - Select the Auth Scope created in step 1 - Choose the REST API for Security Events (likely "Now Support API" or a custom API for em_event) - Set "Apply auth scope to all resources in this API" to false - Select the specific resource for creating events (e.g., "/api/now/table/em_event") 3. Update the OAuth Application Registry: - Navigate to System OAuth > Application Registry - Find and open the OAuth client application used for Security Events - In the "Scope" field, add the newly created "security_events_write" scope - Save the changes 4. Update your application to request the new scope: - Ensure your application requests the "security_events_write" scope when obtaining an access token 5. Test the integration: - Obtain a new access token with the updated scope - Attempt to create a Security Event using the new tokenRelated Links- Authentication scopes provide granular control over API access for OAuth clients- Scopes are available from the Tokyo release onwards- Always follow the principle of least privilege when granting scopes to OAuth clients By following these steps, you should resolve the 400 Bad Request error and successfully create Security Events via the API. Restrict access available to OAuth Client using REST API Auth Scopeshttps://www.servicenow.com/community/platform-privacy-security-blog/restrict-access-available-to-oauth-client-using-rest-api-auth/ba-p/2524938 REST API access policieshttps://www.servicenow.com/docs/csh?topicname=inbound-authentication-profile.html&version=latest ServiceNow Security Operations Addonhttps://splunkbase.splunk.com/app/3921